Businesses Must Disclose Cyberattacks Within 4 Days, Mandates US SEC: Who Will Have To Comply?

The U.S. Securities and Exchange Commission has mandated that businesses must come forth and admitted they were either hacked or their security was compromised. The SEC has even set up a deadline of just four days from the cyberattack.

To protect the best interests of consumers, customers, and shareholders, businesses must disclose any successful attempts to infiltrate their data networks and theft. Let’s look at the newly adopted rules and regulations which could deeply impact how businesses remain accountable to their stakeholders.

Companies Need To Be Open And Transparent About Cyberattacks And Data Thefts

The US SEC has adopted new rules that essentially compel publicly traded companies to disclose cyberattacks within four business days. The SEC has categorically mentioned “material incidents,” which essentially means content that a public company’s shareholders would consider important “in making an investment decision.” Attempting to explain the same, SEC Chair Gary Gensler said:

“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors.”

“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

SEC sets new cyberattack disclosure rules, affecting top crypto firms like Coinbase, Marathon Digital, and Riot Blockchain. This regulation ensures increased transparency and protection for investors. #SEC #cybersecurity #cryptocurrency $COIN $MARA $RIOT

— Block Savvy (@Block_Savvy) July 28, 2023

Disclosures Boost Transparency, Trust, And Accountability

Cyber threats and cyberattacks are growing at an unprecedented rate. Organized Advanced Persistent Threat (APT) groups have been going after businesses, and often succeed in planting ransomware or stealing data.

The new rules will not only make companies more accountable but will also ensure they remain vigilant. This is primarily because such disclosers could negatively impact the reputation of the company, especially if their security is repeatedly compromised.

Yesterday the SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience, along with other annual cybersecurity disclosure requirements.

Learn more here: https://t.co/8hIwUdTSR4 #SEC #cybersecurity #disclosure #compliance pic.twitter.com/sA3r8MNdr5

— Core Compliance (@CoreCLS) July 27, 2023

The new rules assures investors are promptly notified about security incidents that impact listed companies. This will help improve their understanding of cybersecurity risk management and strategy, even if at the most basic level.

It appears the rules pertaining to disclosures of cyberattacks do not apply to private businesses. Moreover, the four-day disclosure timeline can be postponed if the U.S. Attorney General determines that an immediate disclosure would pose a significant risk to national security or public safety.